The need to educate employees comes from two angles. The first is that educating users about cyber risks is an eminently sensible thing to do in order to try and prevent a potentially serious situation occurring.
The second is from a compliance and regulatory angle, where it is a requirement, or a de facto requirement. Organisations may need to drive awareness because:
- they are in a regulated industry or similar
- the supply chain they are in demands it
- key clients insist on it
- there has been a breach and they must take corrective action to restore shareholder or consumer confidence.
In-house legal teams have an obvious role to play in helping to design a user education programme: not only in ensuring it covers what needs to be covered from a legal and compliance angle, but also because many such teams already help to educate employees about potential areas of risk and can give valuable input.
What to cover
- The risk of using unauthorised applications and software (sometimes referred to as ‘shadow IT’)
- Password management – using the same password across different applications makes life easier for hackers
- Ensuring there is adequate encryption on machines and devices
- Being aware of phishing emails and other scams
- The consequences of all of the above and the related obligations of the employee to employer, customers and suppliers
Getting the message across
There are many different tactics to drive awareness. Here are four key methods:
Having clear information security policies
It helps to have very clear information security policies that employees can easily understand. For example, some companies classify the confidentiality or sensitivity of data or content (perhaps on a 1 to 4 scale) and make sure this classification is well understood by employees. They may then set rules about where content or data of each level can be stored. If these rules are widely known, employees will ideally think carefully before posting sensitive data to a file sharing site, for example, minimising the risk of data breaches. Clear policies should also spell out what is expected in relation to using unsupported technologies for work purposes.
Communications and campaigns
Most companies have well-oiled communication channels including town-halls, intranets, email, video and cascaded messages through management. Featuring cyber security in regular communications or in focused campaigns can help to drive messages home. There is also the possibility to drive peer-to-peer communications, perhaps through a series of change champions.
E-learning and training
E-learning is an obvious path for training, particularly training driven by compliance, but it can tend to become a boring tick-the-box exercise for employees. More informal and targeted workshops that address the scenarios specific roles may face could be more effective, although face-to-face training is hard to scale.
Sometimes awareness of cyber security can be driven as part of a wider programme about using digital tools. More imaginative approaches, such as using games, can also work. One option that can really help with awareness of phishing is to send simulated phishing emails to your own employees and then highlight the warning signs in the email for those who clicked on a link. Several companies offer this as a service, and the advantage is that progress can be tracked over time.
Sometimes cyber security awareness and training can be delivered as part of compliance-related processes, for example during onboarding of new employees or as part of an annual declaration process.